UNIX File Security

Users, groups, /etc/passwd and /etc/group files and superuser

File /etc/passwd contains definitions of user accounts, one per line. (See it online). Every item consists of fields separated by colons. For instance:

abcd1234:x:1001:1001:Tom Sawyer:/usr/users/abcd1234:/bin/tcsh

The consecutive fields have the following meanings:

abcd1234 -- username
x -- formerly this field was used for a password, now it always contains the same value "x".
1001 (the first occurrence above) -- user id (uid)
1001 (the second occurrence above) -- default group id (gid) of that user
Tom Sawyer -- any information the system administrator wishes to store
/usr/users/abcd1234 -- the home directory of the user
/bin/tcsh -- the default shell of the user.

File /etc/group contains definitions of groups of users. A group can be defined by the system administrator to facilitate joint work on a project, so that its members can share files easier. The /etc/group file defines one group per line. Every group definition consists of fields separated by colons. Here are two examples:

abcd1234:x:1001:
faculty:x:999:teterwa,fairchlr,plazaja,hartdr,gutiers

Consecutive fields have the following meanings:

abcd1234 -- group name
x -- formerly this field was used for a group password, now it always contains the same value "x"
1001 -- group id (gid)
the last filed may contain a list of users, separated by commas, who belong to the group. If the last field is empty then the only member of the group is the user for whom this group is the default group (as specified in /etc/passwd.)

In the passwd file there is always a definition of an account called root. This account is used by the system administrator when he/she needs a "superuser" status. The superuser can manipulate all files independently of their ownership and permissions. Superuser can add/delete/modify users and groups; these operations are typically performed by executing appropriate scripts.

On many Linux systems every user account is created with a default group which has the same name as the user and with the gid equal to the uid; the group does not have any members except that user. On most Unix systems every user account is created with a default group being "users"; every user on the system belong to that group. See the discussion of set group id for directories for explanation why the arrangement in Linux is better than the one in Unix.

Useful commands

id -- lists current user's id (uid), username, default group id of that user and group name and all id's and names for all groups the user belong to.
groups -- list the groups of the current user

Permissions on newly created files and umask

New files are typically created by an editor, compiler or by copying an existing file. The shell remembers a value, called umask, which determines permissions on newly created files. Umask consists of three digits, each in range 0-7; a value such as 27 means 027. Important command:

umask
get the value of umask

It is useful to think that

any text editor attempts to give a new file permissions rw-rw-rw- (i.e. 110 110 110),
the C compiler compiler attempts to give a new executable file permissions rwxrwxrwx (i.e. 111 111 111),
cp attempts to give a new file permissions identical to those of the original file.

however the editor, C compiler and cp will take the values of decimal digits of umask, translate them into binary and compute the resulting permission by means of the following operation:

attempted	0	1	1
binary digit in umask	1	0	1
result	0	1	0

This means, a 0 in umask allows the attempted value to go through, and a 1 in umask blocks the attempted value.

Here is a complete example:

editor attempts: this means:	rw- rw- rw- 110 110 110
umask = 27 = 027, which means:	000 010 111
result of the bitwise operation: which means:	110 100 000 rw- r-- ---

While specifying umask the following values of decimal digits are of practical importance:
7 = 111 means give no access
6 = 110 means block rw, do not block x (this is useful for directories)
2 = 010 means block w, do not block rx
0 = 000 means do not block rwx
The remaining values of decimal digits, although possible, in are less useful or not useful at all:
5 = 101 and 4 = 100 would block reading but allow writing;
3 = 011 and 1 = 001 would block executing but allow reading; this would be a small hurdle not a real security restriction: the person who can read a file, can copy it and make the copy executable.

As it makes sense to make the permissions for the user (owner) least restrictive, and the permissions for others most restrictive, it makes sense to have the three decimal digits of the value of umask in the non-decreasing order. Also it is typical to use in the umask the value 0 for the user (owner) and it would be foolish to use the value 0 for others.

These considerations imply that the following values of umask are of practical importance; they are given here in the order from most to least restrictive.

	077
	\|
	067
/		\
027		066
\|	\	\|
007		026
\|	/	\|
006		022
\		/
	002

In new accounts on our system the default umask is 077.

You can change the umask by means of the following command:

umask VALUE
define umask to have VALUE (in the current shell and its children).

Special permission bits
Besides r, w, x permissions discussed so far there are: t (sticky bit) and s (set uid/gid) bits. With these bits the file owner can allow others to write files into his/her directory in a controlled manner.

Sticky bit
Sticky bit, denoted t, is now in use only in the case of directories. Compare these two scenarios:

chmod a=rwx DIRECTORY or chmod 777 DIRECTORY
This causes that every user can write a file into DIRECTORY but also that every user can delete every other user's file from that directory; this is not a good arrangement.
chmod a=rwx,o+t DIRECTORY or chmod 1777 DIRECTORY
This causes that every user can write a file into DIRECTORY but only the user who wrote it can delete it.

Sticky bit is used on /tmp directory; while using ls -l it is displayed as a t in the place of the executable bit for others: drwxrwxrwt. It is a limitation of Linux and Unix systems that chmod g+t is not valid. Experiment on-line.

The group associated with newly created file and set group id bit (sgid bit) on a directory
The mechanism of sgid on a directory described in this section is used in Linux but unfortunately not in most commercial implementations of Unix.

The set group id bit (sgid bit), denoted by s in the place of the executable permission for the group, can be set on a directory using a command such as:
chmod u=rwx,g=rwxs,o= DIRECTORY
If you wish to use with chmod numeric values, sgid bit is represented by value 2000, so
the command above is equivalent to
chmod 2770 DIRECTORY

Notice that you can change the group associated with a file (any file: regular, directory, ...) by using the following command:
chgrp GROUP FILE
For this to work, you must be a member of GROUP.

Assume that user abcd1234 has default group abcd1234; Assume that user efgh5678 has default group efgh5678. Assume that both users belong also to group project1. Assume that each users has umask 027. Assume that user abcd1234 executes these commands:

mkdir project_dir
chgrp project1 DIRECTORY
chmod g=rwx DIRECTORY

In this scenario, user efgh5678 can create files in DIRECTORY; all such files will have group efgh5678 associated with them. This means the files created by user efgh5678 will not be readable by anyone other than the user efgh5678 unless .

Now assume that while preparing DIRECTORY user abcd1234 executes not chmod g=rwx DIRECTORY but
chmod g=rwxs DIRECTORY
(notice the sgid bit).

In this second scenario, user efgh5678 can create files in DIRECTORY, and because of the suid bit on DIRECTORY, all such files will have group project1 associated with them. This means the files created by user efgh5678 will be readable also by user abcd1234, and (same as previously) because of the value 7 in the 027 of the umask, the files will not be readable by non-members of project1.

Set user id bit (suid bit) and set group id bit (sgid bit) on a regular file.

You already know that every file has a user owner and a group owner. When you run an executable file a process is created. Every process has real and effective user and group ownerships.

When user1 whose default group is group1 executes a file

-rwxr-sr-x user2 group2 file

the resulting process has group2 as the effective group owner, this means the process has all the privileges of group2.